GLOBALSIGN CERTIFICATE POLICY - DATE: MARCH 30, 2021

Digitally signed by CA Governance Policy Authority
Date: 2021.04.29 15:51:07 +02'00'

GlobalSign
Certificate Policy

Date: March 30, 2021
Effective date for Qualified Timestamping, Qualified Web Authentication Certificates,
Qualified Certificates for Electronic Signatures and Qualified Certificates for Electronic
Seals: {normal date + 2 weeks}

Version: v6.7
Table of Contents
TABLE OF CONTENTS ................................................................................................................................ 2
DOCUMENT HISTORY ............................................................................................................................... 8
ACKNOWLEDGMENTS .............................................................................................................................10
1.0       INTRODUCTION ...........................................................................................................................11
   1.1       OVERVIEW ........................................................................................................................................ 12
                  Certificate Naming ................................................................................................................. 13
                  Additional requirements for Trusted Root Issuer CAs ............................................................ 15
   1.2       DOCUMENT NAME AND IDENTIFICATION ................................................................................................. 16
   1.3       PKI PARTICIPANTS .............................................................................................................................. 22
                  Certification Authorities (“Issuer CAs”) .................................................................................. 22
                  Registration Authorities ......................................................................................................... 22
                  Subscribers ............................................................................................................................. 23
                  Relying Parties ....................................................................................................................... 24
                  Other Participants .................................................................................................................. 24
   1.4       CERTIFICATE USAGE ............................................................................................................................ 24
                  Appropriate Certificate Usage ............................................................................................... 24
                  Prohibited Certificate Usage .................................................................................................. 24
   1.5       POLICY ADMINISTRATION ..................................................................................................................... 25
                  Organization Administering the Document ........................................................................... 25
                  Contact Person ....................................................................................................................... 25
                  Person Determining CP Suitability for the Policy ................................................................... 25
                  CP Approval Procedures ......................................................................................................... 26
   1.6       DEFINITIONS AND ACRONYMS ............................................................................................................... 26
2.0       PUBLICATION AND REPOSITORY RESPONSIBILITIES .....................................................................35
   2.1       REPOSITORIES .................................................................................................................................... 35
   2.2       PUBLICATION OF CERTIFICATE INFORMATION ........................................................................................... 35
   2.3       TIME OR FREQUENCY OF PUBLICATION.................................................................................................... 35
   2.4       ACCESS CONTROLS ON REPOSITORIES ..................................................................................................... 35
3.0       IDENTIFICATION AND AUTHENTICATION .....................................................................................35
   3.1       NAMING ........................................................................................................................................... 36
                   Types of Names...................................................................................................................... 36
                   Need for Names to be Meaningful ........................................................................................ 36
                   Anonymity or Pseudonymity of Subscribers ........................................................................... 36
                   Rules for Interpreting Various Name Forms .......................................................................... 36
                   Uniqueness of Names ............................................................................................................ 36
                   Recognition, Authentication, and Role of Trademarks .......................................................... 36
   3.2       INITIAL IDENTITY VALIDATION................................................................................................................ 36
                   Method to Prove Possession of Private Key ........................................................................... 36
                   Authentication of Organization Identity ................................................................................ 36
                   Authentication of Individual identity ..................................................................................... 38
                   Non-Verified Subscriber Information ..................................................................................... 42
                   Validation of Authority .......................................................................................................... 42
                   Criteria for Interoperation ..................................................................................................... 44
                   Authentication of Domain Name ........................................................................................... 44
                   Authentication of Email addresses ........................................................................................ 44
   3.3       IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS.................................................................... 44
                   Identification and Authentication for Routine Re-key ........................................................... 44
                   Identification and Authentication for Reissuance after Revocation ...................................... 45
                   Re-verification and Revalidation of Identity When Certificate Information Changes ............ 45
                   Identification and Authentication for Re-key After Revocation ............................................. 45

GlobalSign CP (Certificate Policy)                                                                                                                    2 of 81
Version: 6.7
   3.4       IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST ............................................................. 45
4.0      CERTIFICATE LIFE CYCLE OPERATIONAL REQUIREMENTS .............................................................46
  4.1    CERTIFICATE APPLICATION .................................................................................................................... 46
              Who Can Submit a Certificate Application ............................................................................. 46
              Enrollment Process and Responsibilities ................................................................................ 46
  4.2    CERTIFICATE APPLICATION PROCESSING .................................................................................................. 46
              Performing Identification and Authentication Functions ....................................................... 46
              Approval or Rejection of Certificate Applications .................................................................. 46
              Time to Process Certificate Applications ................................................................................ 46
  4.3    CERTIFICATE ISSUANCE ........................................................................................................................ 47
              CA Actions during Certificate Issuance .................................................................................. 47
              Notifications to Subscriber by the CA of Issuance of Certificate ............................................ 47
              Notification to North American Energy Standards Board (NAESB) Subscribers by the CA of Issuance of Certificate ... 47
  4.4    CERTIFICATE ACCEPTANCE .................................................................................................................... 47
              Conduct Constituting Certificate Acceptance ........................................................................ 47
              Publication of the Certificate by the CA ................................................................................. 47
              Notification of Certificate Issuance by the CA to Other Entities ............................................ 47
  4.5    KEY PAIR AND CERTIFICATE USAGE......................................................................................................... 47
              Subscriber Private Key and Certificate Usage ........................................................................ 47
              Relying Party Public Key and Certificate Usage ..................................................................... 48
  4.6    CERTIFICATE RENEWAL ........................................................................................................................ 48
              Circumstances for Certificate Renewal .................................................................................. 48
              Who May Request Renewal ................................................................................................... 48
              Processing Certificate Renewal Requests .............................................................................. 48
              Notification of New Certificate Issuance to Subscriber .......................................................... 48
              Conduct Constituting Acceptance of a Renewal Certificate ................................................... 48
              Publication of the Renewal Certificate by the CA .................................................................. 48
              Notification of Certificate Issuance by the CA to Other Entities ............................................ 48
  4.7    CERTIFICATE RE-KEY ........................................................................................................................... 48
              Circumstances for Certificate Re-Key ..................................................................................... 48
              Who May Request Certification of a New Public Key ............................................................ 49
              Processing Certificate Re-Keying Requests ............................................................................ 49
              Notification of New Certificate Issuance to Subscriber .......................................................... 49
              Conduct Constituting Acceptance of a Re-Keyed Certificate ................................................. 49
              Publication of the Re-Keyed Certificate by the CA ................................................................. 49
              Notification of Certificate Issuance by the CA to Other Entities ............................................ 49
  4.8    CERTIFICATE MODIFICATION ................................................................................................................. 49
              Circumstances for Certificate Modification ........................................................................... 49
              Who May Request Certificate Modification........................................................................... 49
              Processing Certificate Modification Requests ........................................................................ 49
              Notification of New Certificate Issuance to Subscriber .......................................................... 50
              Conduct Constituting Acceptance of Modified Certificate ..................................................... 50
              Publication of the Modified Certificate by the CA .................................................................. 50
              Notification of Certificate Issuance by the CA to Other Entities ............................................ 50
  4.9    CERTIFICATE REVOCATION AND SUSPENSION ............................................................................................ 50
              Circumstances for Revocation ............................................................................................... 50
              Who Can Request Revocation ................................................................................................ 52
              Procedure for Revocation Request ......................................................................................... 52
              Revocation Request Grace Period .......................................................................................... 53
              Time Within Which CA Must Process the Revocation Request .............................................. 53
              Revocation Checking Requirements for Relying Parties ........................................................ 53
              CRL Issuance Frequency ......................................................................................................... 53
              Maximum Latency for CRLs ................................................................................................... 54
              On-Line Revocation/Status Checking Availability .................................................................. 54
              On-Line Revocation Checking Requirements ......................................................................... 54
                Other Forms of Revocation Advertisements Available .......................................................... 54
                Special Requirements Related to Key Compromise ............................................................... 54
                Circumstances for Suspension ............................................................................................... 55
                Who Can Request Suspension ................................................................................................ 55
                Procedure for Suspension Request......................................................................................... 55
                Limits on Suspension Period .................................................................................................. 55
  4.10     CERTIFICATE STATUS SERVICES .............................................................................................................. 55
                Operational Characteristics ................................................................................................... 55
                Service Availability ................................................................................................................. 55
                Operational Features ............................................................................................................. 55
  4.11     END OF SUBSCRIPTION......................................................................................................................... 55
  4.12     KEY ESCROW AND RECOVERY ................................................................................................................ 56
                Key Escrow and Recovery Policy and Practices ...................................................................... 56
                Session Key Encapsulation and Recovery Policy and Practices .............................................. 56
5.0      FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ..........................................................56
  5.1      PHYSICAL CONTROLS ........................................................................................................................... 56
                Site Location and Construction .............................................................................................. 56
                Physical Access....................................................................................................................... 56
                Power and Air Conditioning ................................................................................................... 56
                Water Exposures .................................................................................................................... 56
                Fire Prevention and Protection .............................................................................................. 56
                Media Storage ....................................................................................................................... 56
                Waste Disposal ...................................................................................................................... 56
                Off-Site Backup ...................................................................................................................... 57
  5.2      PROCEDURAL CONTROLS ...................................................................................................................... 57
                Trusted Roles ......................................................................................................................... 57
                Number of Persons Required per Task ................................................................................... 57
                Identification and Authentication for Each Role .................................................................... 57
                Roles Requiring Separation of Duties..................................................................................... 57
  5.3      PERSONNEL CONTROLS ........................................................................................................................ 58
                Qualifications, Experience, and Clearance Requirements...................................................... 58
                Background Check Procedures ............................................................................................... 58
                Training Requirements........................................................................................................... 58
                Retraining Frequency and Requirements ............................................................................... 58
                Job Rotation Frequency and Sequence .................................................................................. 59
                Sanctions for Unauthorized Actions ....................................................................................... 59
                Independent Contractor Requirements ................................................................................. 59
                Documentation Supplied to Personnel................................................................................... 59
  5.4      AUDIT LOGGING PROCEDURES .............................................................................................................. 59
                Types of Events Recorded ...................................................................................................... 59
                Frequency of Processing Log .................................................................................................. 60
                Retention Period for Audit Log .............................................................................................. 60
                Protection of Audit Log .......................................................................................................... 60
                Audit Log Backup Procedures ................................................................................................ 60
                Audit Collection System ......................................................................................................... 60
                Notification to Event-Causing Subject ................................................................................... 60
                Vulnerability Assessments ..................................................................................................... 60
  5.5      RECORDS ARCHIVAL ............................................................................................................................ 61
                Types of Records Archived ..................................................................................................... 61
                Retention Period for Archive .................................................................................................. 61
                Protection of Archive ............................................................................................................. 61
                Archive Backup Procedures .................................................................................................... 61
                Requirements for Timestamping of Records .......................................................................... 61
                Archive Collection System (Internal or External) .................................................................... 61
                Procedures to Obtain and Verify Archive Information ........................................................... 61
  5.6      KEY CHANGEOVER .............................................................................................................................. 61
  5.7      COMPROMISE AND DISASTER RECOVERY ................................................................................................. 61
               Incident and Compromise Handling Procedures .................................................................... 61
               Computing Resources, Software, and/or Data Are Corrupted ............................................... 62
               Issuing CA Private Key Compromise Procedures .................................................................... 62
               Business Continuity Capabilities After a Disaster .................................................................. 62
  5.8      CA OR RA TERMINATION ..................................................................................................................... 62
               Successor Issuing Certification Authority ............................................................................... 63
6.0     TECHNICAL SECURITY CONTROLS.................................................................................................63
  6.1      KEY PAIR GENERATION AND INSTALLATION .............................................................................................. 63
                 Key Pair Generation ............................................................................................................... 63
                 Private Key Delivery to Subscriber ......................................................................................... 63
                 Public Key Delivery to Certificate Issuer ................................................................................. 64
                 CA Public Key Delivery to Relying Parties ............................................................................... 64
                 Key Sizes................................................................................................................................. 64
                 Public Key Parameters Generation and Quality Checking ..................................................... 64
                 Key Usage Purposes (as per X.509 v3 Key Usage Field) ......................................................... 64
  6.2      PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS ....................................... 64
                 Cryptographic Module Standards and Controls ..................................................................... 64
                 Private Key (n out of m) Multi-Person Control ....................................................................... 65
                 Private Key Escrow ................................................................................................................. 65
                 Private Key Backup ................................................................................................................ 65
                 Private Key Archival ............................................................................................................... 65
                 Private Key Transfer into or from a Cryptographic Module ................................................... 65
                 Private Key Storage on Cryptographic Module ...................................................................... 65
                 Method of Activating Private Key .......................................................................................... 65
                 Method of Deactivating Private Key ...................................................................................... 65
                 Method of Destroying Private Key ......................................................................................... 65
                 Cryptographic Module Rating ................................................................................................ 65
  6.3      OTHER ASPECTS OF KEY PAIR MANAGEMENT........................................................................................... 66
                 Public Key Archival ................................................................................................................. 66
                 Certificate Operational Periods and Key Pair Usage Periods ................................................. 66
  6.4      ACTIVATION DATA .............................................................................................................................. 66
                 Activation Data Generation and Installation ......................................................................... 66
                 Activation Data Protection .................................................................................................... 66
                 Other Aspects of Activation Data .......................................................................................... 67
  6.5      COMPUTER SECURITY CONTROLS ........................................................................................................... 67
                 Specific Computer Security Technical Requirements ............................................................. 67
                 Computer Security Rating ...................................................................................................... 67
  6.6      LIFE CYCLE TECHNICAL CONTROLS .......................................................................................................... 67
                 System Development Controls ............................................................................................... 67
                 Security Management Controls ............................................................................................. 67
                 Life Cycle Security Controls .................................................................................................... 68
  6.7      NETWORK SECURITY CONTROLS ............................................................................................................ 68
  6.8      TIMESTAMPING .................................................................................................................................. 68
7.0     CERTIFICATE, CRL, AND OCSP PROFILES .......................................................................................68
  7.1      CERTIFICATE PROFILE........................................................................................................................... 68
                Version Number(s) ................................................................................................................. 68
                Certificate Extensions ............................................................................................................ 68
                Algorithm Object Identifiers .................................................................................................. 68
                Name Forms........................................................................................................................... 68
                Name Constraints .................................................................................................................. 69
                Certificate Policy Object Identifier ......................................................................................... 69
                Usage of Policy Constraints Extension ................................................................................... 69
                Policy Qualifiers Syntax and Semantics ................................................................................. 69
                Processing Semantics for the Critical Certificate Policies Extension ...................................... 69

GlobalSign CP (Certificate Policy)                                                                                                                5 of 81
Version: 6.7
                Serial Numbers....................................................................................................................... 69
                Special Provisions for Qualified Certificates ........................................................................... 69
  7.2      CRL PROFILE ..................................................................................................................................... 70
                Version Number(s) ................................................................................................................. 70
                CRL and CRL Entry Extensions ................................................................................................ 70
  7.3      OCSP PROFILE................................................................................................................................... 70
                Version Number(s) ................................................................................................................. 70
                OCSP Extensions..................................................................................................................... 70
8.0      COMPLIANCE AUDIT AND OTHER ASSESSMENTS .........................................................................70
  8.1      FREQUENCY AND CIRCUMSTANCES OF ASSESSMENT .................................................................................. 70
  8.2      IDENTITY/QUALIFICATIONS OF ASSESSOR ................................................................................................ 70
  8.3      ASSESSOR’S RELATIONSHIP TO ASSESSED ENTITY....................................................................................... 71
  8.4      TOPICS COVERED BY ASSESSMENT.......................................................................................................... 71
  8.5      ACTIONS TAKEN AS A RESULT OF DEFICIENCY ........................................................................................... 71
  8.6      COMMUNICATIONS OF RESULTS ............................................................................................................ 71
  8.7      SELF-AUDIT ....................................................................................................................................... 71
9.0      OTHER BUSINESS AND LEGAL MATTERS ......................................................................................71
  9.1      FEES................................................................................................................................................. 71
                 Certificate Issuance or Renewal Fees ..................................................................................... 71
                 Certificate Access Fees ........................................................................................................... 71
                 Revocation or Status Information Access Fees ...................................................................... 72
                 Fees for Other Services .......................................................................................................... 72
                 Refund Policy ......................................................................................................................... 72
  9.2      FINANCIAL RESPONSIBILITY ................................................................................................................... 72
                 Insurance Coverage ............................................................................................................... 72
                 Other Assets ........................................................................................................................... 72
                 Insurance or Warranty Coverage for End Entities ................................................................. 72
  9.3      CONFIDENTIALITY OF BUSINESS INFORMATION ......................................................................................... 72
                 Scope of Confidential Information ......................................................................................... 72
                 Information Not Within the Scope of Confidential Information ............................................ 72
                 Responsibility to Protect Confidential Information ................................................................ 72
  9.4      PRIVACY OF PERSONAL INFORMATION .................................................................................................... 72
                 Privacy Plan ........................................................................................................................... 72
                 Information Treated as Private .............................................................................................. 72
                 Information Not Deemed Private........................................................................................... 73
                 Responsibility to Protect Private Information ........................................................................ 73
                 Notice and Consent to Use Private Information .................................................................... 73
                 Disclosure Pursuant to Judicial or Administrative Process ..................................................... 73
                 Other Information Disclosure Circumstances ........................................................................ 73
  9.5      INTELLECTUAL PROPERTY RIGHTS ........................................................................................................... 73
  9.6      REPRESENTATIONS AND WARRANTIES..................................................................................................... 73
                 CA Representations and Warranties ...................................................................................... 73
                 RA Representations and Warranties ...................................................................................... 75
                 Subscriber Representations and Warranties ......................................................................... 75
                 Relying Party Representations and Warranties ..................................................................... 77
                 Representations and Warranties of Other Participants......................................................... 78
  9.7      DISCLAIMERS OF WARRANTIES .............................................................................................................. 78
  9.8      LIMITATIONS OF LIABILITY..................................................................................................................... 78
                 Exclusion of Certain Elements of Damages ............................................................................ 78
  9.9      INDEMNITIES ..................................................................................................................................... 78
                 Indemnification by an Issuer CA............................................................................................. 78
                 Indemnification by Subscribers .............................................................................................. 78
                 Indemnification by Relying Parties ........................................................................................ 78
  9.10     TERM AND TERMINATION..................................................................................................................... 78
                 Term ....................................................................................................................................... 78
              Termination ........................................................................................................................... 78
              Effect of Termination and Survival......................................................................................... 79
  9.11   INDIVIDUAL NOTICES AND COMMUNICATIONS WITH PARTICIPANTS .............................................................. 79
  9.12   AMENDMENTS ................................................................................................................................... 79
              Procedure for Amendment .................................................................................................... 79
              Notification Mechanism and Period ...................................................................................... 79
              Circumstances Under Which OID Must be Changed .............................................................. 79
  9.13   DISPUTE RESOLUTION PROCEDURES ....................................................................................................... 79
  9.14   GOVERNING LAW ............................................................................................................................... 79
  9.15   COMPLIANCE WITH APPLICABLE LAW...................................................................................................... 80
  9.16   MISCELLANEOUS PROVISIONS ............................................................................................................... 80
              Entire Agreement ................................................................................................................... 80
              Assignment ............................................................................................................................ 80
              Severability ............................................................................................................................ 80
              Enforcement (Attorney’s Fees and Waiver of Rights) ............................................................ 80
              Force Majeure ........................................................................................................................ 80
  9.17   OTHER PROVISIONS ............................................................................................................................ 80
              CA Chaining Agreement ......................................................................................................... 81
              PKI Infrastructure review ....................................................................................................... 81
              Subscriber CA implementation .............................................................................................. 81
              Ongoing requirements and audits ......................................................................................... 81

Document History

 Version    Release Date      Status & Description
 V4.0       03/22/12          Administrative update – Inclusion of additional
                              WebTrust       2.0    and     CA/BForum     Baseline
                              Requirements for issuance of SSL Certificates.
 V4.1       03/29/12          Addition of support for NAESB.
 V4.2       06/07/12          Additional CA/BForum Baseline Requirements
                              support
 V4.3       07/01/12          Additional CA/BForum Baseline Requirements
 V4.4       03/15/13          Extended validity period of PersonalSign,
                              Administrative updates.
                              Modification to NAESB Certificates incorporating
                              WEQ-012 v 3.0 updates
 V4.5       03/31/13          Statement of compliance to CA/Browser Forum
                              Baseline Requirements, EPKI specification update
 V4.6       03/07/14          Administrative updates/clarifications
                              Modified provisions to ensure compliance with
                              CA/Browser Forum Baseline Requirements
 V4.7       6/25/14           Modified availability requirement and maximum
                              process time for revocation
                              Administrative update/clarifications
 V4.8       09/02/14          Modifications to enhance the description of domain
                              validation processes, highlighted by public review.
 V4.9       03/05/15          Modified maximum validity period of Code Signing
                              certificate
                              GlobalSign’s new R6 root and readability
                              enhancements to cover new AATL offerings
 V5.0       08/15/15          Policy OIDs and Publication of all of GlobalSign’s
                              Non Constrained Subordinate CAs
 V5.1       05/02/16          Annual Review
                              Modified NAESB EIR requirements to reflect non
                              WEQ energy participants requirements
 V5.2       06/16/16          Adding Root R7 and R8 Certificates
 V5.3       08/11/16          Adding Test CA OID
                              Reflected changes from CABF Ballot 173
                              Clarification on Certificate Transparency
 V5.4       02/02/17          Removal of Root R2 & R4; addition of code signing
                              minimum requirements
 V5.5       08/07/17          Updates for AATL Digital Signing Service
                              Added CAA record checking requirement
                              Annual update/review to fix bugs
 V5.6       12/14/17          Updates related to Annual BR Self-Assessment
 V5.7       04/03/18          Max SSL validity set to 825 days
                              Specified that GlobalSign no longer generates keys
                              for SSL certificates
                              Updates for NAESB identify requirements
 V5.8       06/15/18          Updates for Qualified Certificates
 V5.9       11/05/18          Updates to revocation timelines in accordance with
                              CABF Ballot SC6
                              Made a variety of definition/acronym updates for
                              clarification.
 V6         03/12/19          Updated roles requiring separation of duties
                              Added new ICAs for AATL and Timestamping
                              Added new Email Domain Validation methods and
                              definitions
                              Added new Phone Domain Validation methods and
                              definitions
                              Added new IoT policy OIDs
 V6.1       05/30/2019        Added new GlobalSign R46/E46 Root Certificates
                              Added new Private Client Certificate Policy OID
                              Support for Qualified Timestamping and Qualified
                              Web Authentication Certificates
                              Changed “re-key” definition to match WebTrust
 V6.2       09/25/2019        Removed reference to NAESB High Assurance
                              certificates
                              Removed “any other” method for IP Address
                              approval
 V6.3       03/31/2020        Added non-TLS roots
                              Updated address in section 1.5
                              Added more detail to AATL Individual/Organization
                              vetting requirements
                              Added new Timestamping Token OID
                              Added advanced electronic signature/seal (or
                              higher) as an alternative means to confirm authority
                              following COVID-19 emergency
                              Added notification period for subscribers regarding
                              expiration of certificates
                              Added new CABF code signing requirements
 V6.4       07/07/2020        Support for qualified certificates (non-QSCD) and
                              QSCD managed by GlobalSign.
                              Max SSL validity set to 397 days.
                              Removed code signing certificates for individuals.
                              Added hierarchy validation approach for eIDAS.
                              Updates for uniqueness of Names.
 V6.5       30/09/2020        Disclosure of Registration / Incorporating Agency.
                              Added S/MIME and Client Authentication certificate
                              products and OIDs.
                              Added revocation at GlobalSign’s discretion.
                              Updates to revocation reasons.
                              Removal of Root R7, R8.
 V6.6       29/12/2020        Updates for UK trust services
                              Revision of revocation requirements
                              Revision of OIDs
                              Updates for ballots SC28, SC30, SC31, SC33
                              Grammatical updates, language consistency, RFCs
                              Relying party liability for PSD2 certificates
                              Root inclusion feedback
                              Specification of KeyPurposeIds
 V6.7       30/03/2021        Updates for UK trust services
                              Clarification on max validity
                              Including affiliated entities
                              Added Timestamping Root E46
                              Revision of OIDs, including LRA OIDs
                              Clarified non-verified subscriber information
                              Grammatical updates, language consistency
                              Updates to operational periods and key pair usage
                              periods

Acknowledgments
GlobalSign® and the GlobalSign Logo are registered trademarks of GMO GlobalSign K.K.

1.0 Introduction
This Certificate Policy (CP) applies to the products and services of GlobalSign NV/SA and affiliated
entities (“GlobalSign”). Primarily, this pertains to the issuance and lifecycle management of
Certificates including validity checking services. GlobalSign may also provide additional services
such as timestamping. This CP may be updated from time to time as outlined in Section 1.5, Policy
Administration. The latest version may be found on the GlobalSign group company repository
https://www.globalsign.com/repository. (Alternative language versions may be available to aid
Relying Parties and Subscribers in their understanding of this CP; however, in the event of any
inconsistency, the English version shall control.)

A CP is a "named set of rules that indicates the applicability of a Digital Certificate to a particular
community and/or class of application with common security requirements.” This CP meets the
formal requirements of Internet Engineering Task Force (IETF) RFC 3647, dated November 2003
with regard to content, layout and format (RFC 3647 obsoletes RFC 2527). An RFC issued by IETF
is an authoritative source of guidance with regard to standard practices in the area of Electronic
Signatures and Certificate management. While certain section titles are included in this policy
according to the structure of RFC 3647, the topic may not necessarily apply to services of
GlobalSign. These sections have ‘No stipulation’ appended. Where necessary, additional
information is presented in subsections to the standard structure. Meeting the format requirements
of RFC 3647 enhances and facilitates the mapping and interoperability with other third party CAs
and provides Relying Parties with advance notice of GlobalSign’s practices and procedures.

This CP aims to comply with the requirements of:

    •   Browsers’ root programs
    •   RFC3647, Request for Comments: 3647, Internet X.509 Public Key Infrastructure:
        Certificate Policy and Certification Practices Framework, Chokhani, et al, November 2003
    •   North American Energy Standards Board (NAESB) Accreditation Requirements for
        Authorized Certificate Authorities
    •   WebTrust Principles and Criteria for Certification Authorities
    •   WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network
        Security
    •   WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL
    •   WebTrust Principles and Criteria for Certification Authorities – Code Signing Baseline
        Requirements
    •   Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July
        2014 on electronic identification and trust services for electronic transactions in the internal
        market and repealing Directive 1999/93/EC
    •   The Electronic Identification and Trust Services for Electronic Transactions (Amendment
        etc.) (EU Exit) Regulations 2019
    •   The Electronic Identification and Trust Services for Electronic Transactions Regulations
        2016 (2016 No. 696)

This CP conforms to current versions of the requirements:

    •   CA/Browser Forum Baseline Requirements for the Issuance and Management of
        Publicly-Trusted Certificates (“Baseline Requirements”)
    •   CA/Browser Forum Guidelines For The Issuance And Management Of Extended
        Validation Certificates (“EV Guidelines”)
    •   CA/Browser Forum Network and Certificate System Security Requirements
    •   CA/Browser Forum Baseline Requirements for Code Signing (“Baseline Requirements for
        Code Signing”)

published at http://www.cabforum.org. If there is any inconsistency between this document and the
Requirements above, the Requirements take precedence over this document.

This CP addresses areas of policy and practice such as, but not limited to, technical requirements,
security procedures, personnel and training needs, which are required to meet industry best
practices for Certificate lifecycle management. This CP applies to all Certificates issued by
GlobalSign including its Root Certificates and any chaining services to third party
Subordinate/Issuing CAs. Root Certificates are used to manage Certificate hierarchies through the
creation of one or more Subordinate CAs that may or may not be controlled directly by the same
entity that manages the Root Certificate itself.

This CP is applicable to the Subscriber and/or Relying Party, who uses, relies upon or attempts to
rely upon certification services made available by the Certification Authority referring to this CP.

The English version of this CP is the primary version. In the event of any conflict or inconsistency
between the English CP and any localized or translated version, the provisions of the English
version shall prevail.

1.1       Overview
This CP applies to the complete GlobalSign hierarchy and all Certificates that it issues, either
directly through its own systems or indirectly through its Trusted Root™ (previously known as Root
Sign) program, including self-signed Root Certificates and Key Pairs. The purpose of this CP is to
present GlobalSign’s practices and procedures in managing Root Certificates and Issuing CAs in
order to demonstrate compliance with formal, industry-accepted accreditations such as WebTrust.
Additionally, the eIDAS Regulation (Regulation (EU) No 910/2014) (“eIDAS”) and, in UK
legislation, eIDAS and The Electronic Identification and Trust Services for Electronic Transactions
Regulations 2016 (“UK eIDAS”) provide for the recognition of Electronic Signatures that are used
for the purposes of authentication or non-repudiation. In this regard, GlobalSign operates within the
scope of the applicable sections of the Law when delivering its services. Trust services for the
United Kingdom are operated by and provided through GMO GlobalSign LTD., an affiliated entity of
GlobalSign.

This CP sets out the objectives, roles, responsibilities and practices of all entities involved in the
lifecycle of Certificates issued under this CP. In simple terms, a CP states “what is to be adhered
to,” setting out an operational rule framework for products and services.

A Certification Practice Statement (CPS) complements this CP and states, “how the Certification
Authority adheres to the Certificate Policy.” A CPS provides an end user with a summary of the
processes, procedures and overall prevailing conditions that the Issuing CA (i.e. the entity which
provides the Subscriber its Certificate) will use in creating and managing such Certificates.
Likewise, GlobalSign Trusted Root Subscribers who themselves become an Issuing CA maintain
their own Certification Practice Statement applicable to the products and services they offer.

In addition to this CP and the CPS, GlobalSign maintains additional documented policies which
address such issues as:

      •    Business continuity and disaster recovery
      •    Security policy
      •    Personnel policies
      •    Key management policies
      •    Registration procedures

Additionally, other relevant documents include:

      •    The GlobalSign Warranty Policy that addresses issues on insurance;
      •    The GlobalSign Privacy Policy on the protection of personal data; and
      •    The GlobalSign Certification Practice Statement that addresses the methods and rules by
           which Certificates are delivered for the domain of the GlobalSign top roots.

All applicable GlobalSign policies are subject to audit by authorised third parties which GlobalSign
highlights on its public facing web site via a WebTrust Seal of Assurance. Additional information
can be made available upon request.

Certificate Naming
The exact names of the GlobalSign Certificates that are governed by this CP are:

GlobalSign Public Root CA Certificates
    •   GlobalSign Root CA – R1 with fingerprint EBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99
    •   GlobalSign Root CA – R3 with fingerprint CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B
    •   GlobalSign Root CA – R5 with fingerprint 179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924
    •   GlobalSign Root CA – R6 with fingerprint 2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69
    •   GlobalSign Root CA – R46 with fingerprint 4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9
    •   GlobalSign Root CA – E46 with fingerprint CBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058

GlobalSign Public Non-TLS Root CA Certificates
    •   GlobalSign Client Authentication Root R45 with fingerprint 165C7E810BD37C1D57CE9849ACCD500E5CB01EEA37DC550DB07E598AAD2474A8
    •   GlobalSign Client Authentication Root E45 with fingerprint 8B0F0FAA2C00FE0532A8A54E7BC5FD139C1922C4F10F0B16E10FB8BE1A634964
    •   GlobalSign Code Signing Root R45 with fingerprint 7B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF86
    •   GlobalSign Code Signing Root E45 with fingerprint 26C6C5FD4928FD57A8A4C5724FDD279745869C60C338E262FFE901C31BD1DB2B
    •   GlobalSign Document Signing Root R45 with fingerprint 38BE6C7EEB4547D82B9287F243AF32A9DEEB5DC5C9A87A0056F938D91B456A5A
    •   GlobalSign Document Signing Root E45 with fingerprint F86973BDD0514735E10C1190D0345BF89C77E1C4ADBD3F65963B803FD3C9E1FF
    •   GlobalSign Secure Mail Root R45 with fingerprint 319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974
    •   GlobalSign Secure Mail Root E45 with fingerprint 5CBF6FB81FD417EA4128CD6F8172A3C9402094F74AB2ED3A06B4405D04F30B19
    •   GlobalSign Timestamping Root R45 with fingerprint 2BCBBFD66282C680491C8CD7735FDBBAB7A8079B127BEC60C535976834399AF7
    •   GlobalSign Timestamping Root E46 with fingerprint 4774674B94B78F5CCBEF89FDDEBDABBD894A71B55576B8CC5E6876BA3EAB4538
    •   GlobalSign IoT Root R60 with fingerprint 319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974
    •   GlobalSign IoT Root E60 with fingerprint 5CBF6FB81FD417EA4128CD6F8172A3C9402094F74AB2ED3A06B4405D04F30B19

The Root Certificates above are Public, WebTrust-audited certificates that are configured for non-TLS use, to cater to GlobalSign’s various product offerings.
GlobalSign actively promotes the inclusion of the Root Certificates above in hardware and software platforms that are capable of supporting Certificates and
associated cryptographic services according to the specified GlobalSign use case and applicable hardware/software trust bits. Where possible, GlobalSign will
seek to enter into a contractual agreement with platform providers to ensure effective Root Certificate life cycle management. However, GlobalSign also actively
encourages platform providers at their own discretion to include GlobalSign Root Certificates without contractual obligation.
